We have been running 3.0.4 on CentOS, authenticating against openldap 2.3.43 on Centos 5. That seemed to work reliably, but we needed functionality only available in 3.0.11. I build 3.0.12 as an RPM on CentOS 6 using the 3.0.12 tarball from github and the 3.0.4 specfile as a template, so that the same directories and settings were used as for 3.0.4. We are using ldap on port 389 with start_tls The client certificate is loaded from a PEM file in /etc/raddb/certs/ The server certificate is loaded from the NSS database /etc/raddb/certs/cert8.db Initially after radiusd is started, authentication works properly. We see in debug output ... (1) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ... rlm_ldap (ldap): Opening additional connection (6), 1 of 30 pending slots used rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389 TLS: certificate '/etc/raddb/certs/xxx' successfully loaded from moznss database. rlm_ldap (ldap): Bind successful ..(1) Sent Access-Accept Id 170 after running for a bit, with the same radius client request, we get TLS: could not shutdown NSS - error -8053:NSS could not shutdown. Objects are still in use.. rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap): Opening additional connection (7), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389 TLS: could not initialize moznss - error -8018:Unknown PKCS #11 error.. TLS: could not perform TLS system initialization. TLS: error: could not initialize moznss security context - error -8018:Unknown PKCS #11 error. TLS: can't create ssl handle. rlm_ldap (ldap): Could not start TLS: Connect error ... (2) Sent Access-Reject Id 217 On the openldap server in debug mode, I get an error TLS trace: SSL3 alert read:warning:close notify ldap_read: want=8, got=0 Any ideas ? The openldap logs are somewhat cryptic -- Andrew Daviel, TRIUMF, Canada